Insulin Pump Hacking: Sensationalism or Legitimate Threat?

• "Hackers can kill Diabetics with Insulin Pumps from a half mile away - Um, no. Facts vs. Journalistic Fear mongering"
• "Even the human bloodstream isn't safe from computer hackers." 
• "Hacked: Jay Radcliffe, Insulin Pumps, and Diabetes Sensationalism."
• "OMG!!! What next?????"
• "In a dramatic Black Hat presentation like some kind of insulin Al Qaeda, security researcher Jay Radcliffe explains how an attacker in the cyber world could launch a wireless hack up to a half mile away from a victim, to remotely control an insulin pump and potentially kill a person in the real world." (Computerworld)

Could implanted medical devices that use wireless communication, such as pacemakers, be maliciously hacked to threaten patients' lives? Kevin Fu is no stranger to such overblown scenarios based on his research, though he prefers to stick to talking about technical details. But Fu, a software engineer and assistant professor of computer science, is a security guy. And security people think differently.

That quote neatly sums out both sides of the issue: It's a problem worthy of consideration, but not something people with insulin pumps (or other life-preserving devices) should waste much time worrying about.

A PR director from Medtronic’s insulin pump subsidiary MiniMed Inc. wrote the following on diabetes social media site TuDiabetes.org: “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

The drive behind it was to convince manufacturers of insulin pumps to consider the topic. As Radcliffe explains on Six Until Me: 

"And vendors need to know about these vulnerabilities. Is it deterring from actual diabetes cure research? I don't think so, but if it is, people can't be mad at me for bringing the issue up. If you want your insulin pumps to be safer, I have to do this. I'm sorry if it makes people upset, but I'm doing this as ethically as possible. I didn't disclose the brand of device that I wear, and I kept the company protected to the best of my ability."??

So, I'm left wondering, how successful can a tactic like this be—describing a problem like this at a hacking conference? If Radcliffe's target audience was device manufacturers, is there a better way to get their attention? Radcliffe spoke to this point by acknowledging that some diabetic bloggers are critical of his actions because the fear generated by this publicity could result in an increase in time FDA takes to approve devices. 

But Radcliffe's aim here is to simply bring attention to the issue. "Fifteen years ago, when we did research on vulnerabilities in computer networks, we were ignored," he says. "They said that the risks were too small, and the 'Internet' was only used for universities sharing scientific research data. It's now the backbone of the economy handling almost all of our financial data transactions and commerce," he adds. "While there is very little risk to the individual insulin pump user, the fact we have insecure embedded computers responsible for critical health functions should give pause to everyone involved. We hold banks responsible for security of a $10 online purchase, but we'll give medical device makers a free pass on not securing the devices responsible for our health or even our lives?  When we spend upwards of $6000 for a medical device I think we deserve to have that device be secure."

—Brian Buntz

Note: This blog post was edited after it was initally posted. Quotes from Jay Radcliffe were added and an inaccuracy regarding his hacking of the insulin pump was corrected.